CVE-2024-13161 Overview
CVE-2024-13161 is an absolute path traversal vulnerability in Ivanti Endpoint Manager (EPM) that allows a remote unauthenticated attacker to read sensitive information from the affected system. The flaw resides in EPM versions prior to the 2024 January-2025 Security Update and 2022 SU6 January-2025 Security Update. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, confirming active exploitation in the wild. The weakness is classified as [CWE-36] (Absolute Path Traversal) and can be triggered over the network without user interaction or prior authentication.
Critical Impact
An unauthenticated remote attacker can leak sensitive information from Ivanti EPM servers, and this disclosure has been observed chained with credential coercion techniques to compromise machine accounts.
Affected Products
- Ivanti Endpoint Manager 2024 (prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 SU6 (prior to January-2025 Security Update)
- Ivanti Endpoint Manager 2022 base release through SU5
Discovery Timeline
- 2025-01-14 - CVE-2024-13161 published to NVD and disclosed in Ivanti Security Advisory
- 2025-10-24 - Last updated in NVD database
Technical Details for CVE-2024-13161
Vulnerability Analysis
The vulnerability stems from improper validation of file path inputs in an Ivanti EPM web-facing component. An attacker supplies an absolute path that bypasses intended directory restrictions, causing the server to read files outside its expected scope. Because the endpoint does not enforce authentication, exploitation requires only network reachability to the EPM server. Public research from Horizon3 ties this and related EPM flaws to credential coercion attack chains, where the disclosure primitive is used alongside machine-account NTLM relay scenarios.
Root Cause
The root cause is missing or insufficient canonicalization of user-supplied path parameters in EPM request handlers. The application accepts absolute filesystem paths and returns the referenced content without verifying that the resolved path stays within an authorized directory. This pattern matches the [CWE-36] absolute path traversal weakness.
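To make the CWE-36 pattern concrete, the following added example (written for this page, not Ivanti code) contrasts a join-and-read handler with one that rejects absolute, drive-qualified and rooted input and then confirms the canonical result still lies under the content root. BASE_DIR and the sample inputs are constructed; ntpath is used so the Windows path semantics hold on any platform.

```python
import ntpath
from typing import Optional

# Constructed content root for the demonstration (not an Ivanti EPM path).
BASE_DIR = r"C:\ProgramData\EPMExample\content"

def vulnerable_resolve(user_path: str) -> str:
    """The CWE-36 pattern: join and read. ntpath.join discards BASE_DIR as soon
    as the user part is absolute (drive letter or UNC), so the caller ends up
    reading whatever path the client named."""
    return ntpath.normpath(ntpath.join(BASE_DIR, user_path))

def safe_resolve(user_path: str) -> Optional[str]:
    """Reject absolute or drive-qualified input, canonicalize, then verify the
    result still lies under BASE_DIR. Returns None for anything that escapes."""
    # Absolute (C:\x, \\host\share\x), drive-relative (C:x) and rooted (\x)
    # inputs are never legitimate names for a file inside the content root.
    if ntpath.isabs(user_path) or ntpath.splitdrive(user_path)[0]:
        return None
    if user_path.startswith(("\\", "/")):
        return None
    base = ntpath.normpath(BASE_DIR)
    candidate = ntpath.normpath(ntpath.join(base, user_path))
    try:
        common = ntpath.commonpath([base, candidate])
    except ValueError:  # different drive or UNC share: cannot be inside base
        return None
    if ntpath.normcase(common) != ntpath.normcase(base):
        return None  # "..\" sequences walked out of the content root
    return candidate

if __name__ == "__main__":
    for probe in (r"reports\inventory.xml", r"C:\Windows\win.ini",
                  r"\\fileserver.example\share\x", r"..\..\..\Windows\win.ini"):
        print(f"{probe!r:40} vulnerable={vulnerable_resolve(probe)!r} "
              f"safe={safe_resolve(probe)!r}")
```

The UNC case is why the read primitive matters for the coercion chain the page describes: a server that opens whatever path it is handed will also authenticate to a remote share it is pointed at.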
Attack Vector
Exploitation occurs over the network against the EPM management interface. The attacker submits a crafted request containing a fully qualified path to a sensitive file. The server processes the request and returns the file contents in the response, yielding configuration data, credential material, or other operational secrets. No privileges and no user interaction are required.
No verified public proof-of-concept code is published for CVE-2024-13161. See the Horizon3 attack research and Ivanti advisory referenced below for technical details on the credential coercion chain involving EPM.
Detection Methods for CVE-2024-13161
Indicators of Compromise
- Unauthenticated HTTP/HTTPS requests to Ivanti EPM endpoints containing absolute filesystem paths such as C:\ or UNC paths in query parameters or POST bodies.
- Outbound SMB or HTTP authentication attempts from the EPM machine account to attacker-controlled hosts, consistent with the credential coercion chain described by Horizon3.
- Web server access logs showing anomalous file read responses returning binary or configuration content to unauthenticated clients.
Detection Strategies
- Inspect EPM IIS and application logs for requests referencing system paths, sensitive configuration files, or paths outside the EPM web root.
- Correlate machine-account authentication events on domain controllers with source IPs belonging to EPM servers to identify coerced authentication.
- Hunt for new or unexpected processes spawned by EPM service accounts following inbound web requests from external networks.
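The first detection strategy above, as an added example that is not part of the original page: a parser for IIS W3C logs that flags query parameters whose fully URL-decoded value is a drive-letter or UNC absolute path and records the client, username and status for triage. The log excerpt, hostnames and URI paths are constructed, not real EPM traffic.

```python
import re
from urllib.parse import parse_qsl, unquote

# Constructed IIS W3C log excerpt (not real Ivanti EPM traffic). Field order
# comes from the #Fields directive, which the parser reads rather than assumes.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-01-15 10:01:02 10.0.0.5 GET /example/download path=reports%5Cinventory.xml 443 - 10.10.20.7 200
2025-01-15 10:01:09 10.0.0.5 GET /example/download path=C%3A%5CWindows%5Cwin.ini 443 - 203.0.113.9 200
2025-01-15 10:01:15 10.0.0.5 GET /example/download path=%255C%255Cfileserver.example%255Cshare%255Cx 443 - 203.0.113.9 200
2025-01-15 10:02:30 10.0.0.5 POST /example/api a=1 443 svc_admin 10.10.20.7 302
"""

# Drive-letter absolute path (C:\ or C:/) or a backslash UNC path (\\host\share).
# The leading guard keeps "http://" from matching the drive-letter form.
ABS_PATH = re.compile(r"(?:^|[^A-Za-z0-9])(?:[A-Za-z]:[\\/]|\\\\[^\\/]+[\\/])")

def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated percent-encoding (parse_qsl strips only one layer)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def find_absolute_path_requests(log_text: str) -> list[dict]:
    """Return one record per query parameter whose decoded value is an absolute
    Windows or UNC path, with the client, user, status and URI for triage."""
    fields, hits = None, []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, raw in parse_qsl(query, keep_blank_values=True):
            value = fully_decode(raw)
            if ABS_PATH.search(value):
                hits.append({"time": f"{rec['date']} {rec['time']}", "client": rec["c-ip"],
                             "user": rec["cs-username"], "status": rec["sc-status"],
                             "uri": rec["cs-uri-stem"], "param": name, "value": value})
    return hits

if __name__ == "__main__":
    for hit in find_absolute_path_requests(SAMPLE_LOG):
        print(hit)
```

A hit with cs-username "-" and a 200 status is the combination the Indicators of Compromise section describes: an unauthenticated client receiving file content for an absolute path.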
Monitoring Recommendations
- Enable verbose access logging on the EPM management web service and forward logs to a centralized analytics platform for retention and correlation.
- Monitor for the CISA KEV entry for CVE-2024-13161 and prioritize alerting rules tied to Ivanti EPM exposure.
- Track the EPSS score for this CVE; it currently indicates a very high likelihood of exploitation in the near term.
How to Mitigate CVE-2024-13161
Immediate Actions Required
- Apply the Ivanti EPM January-2025 Security Update for the 2024 branch or the 2022 SU6 January-2025 Security Update without delay, as the vulnerability is confirmed exploited.
- Restrict network access to the EPM management interface to trusted administrative subnets and VPN ranges only.
- Audit EPM machine-account activity in Active Directory for signs of relay or coercion-based abuse.
Patch Information
Ivanti released fixed builds in the Ivanti Security Advisory EPM January 2025. Customers on EPM 2024 must install the 2024 January-2025 Security Update, and customers on EPM 2022 must update to SU6 with the January-2025 Security Update applied. The CVE is also listed in the CISA Known Exploited Vulnerabilities Catalog, making remediation mandatory for U.S. federal agencies under BOD 22-01.
Workarounds
- Place the EPM server behind a reverse proxy or WAF that blocks requests containing absolute path patterns and UNC references in parameters.
- Disable or firewall off external exposure of the affected EPM endpoints until the security update can be deployed.
- Reduce the privileges of the EPM machine account and segment the host from sensitive directory services where feasible.
# Example: restrict the EPM management port to an admin subnet (Windows Firewall).
# Windows Firewall evaluates explicit Block rules ahead of Allow rules, so a
# catch-all Block on 443 would also cut off the admin subnet. Allow the admin
# subnet, then block the remaining address ranges explicitly.
# (10.10.20.0/24 is a placeholder admin subnet; adjust it to your environment.)
New-NetFirewallRule -DisplayName "Restrict Ivanti EPM Mgmt" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress 10.10.20.0/24 `
    -Action Allow
# Block inbound access to the EPM management port from every other address
New-NetFirewallRule -DisplayName "Block Ivanti EPM Mgmt External" `
    -Direction Inbound `
    -Protocol TCP `
    -LocalPort 443 `
    -RemoteAddress "0.0.0.0-10.10.19.255","10.10.21.0-255.255.255.255" `
    -Action Block
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.